How can I forbid users to change their username and email address? Would it make sense to have a global option for this?

I think this is a small security issue in bigger installations where accounts are made automatically and are not of the form firstname_lastname: a user can change name and email so that he/she will appear to be different person.

User name : what for ? Nor related to security in my opinion ?
Logi is already update disable.

About email : by plugin in my opinion. Not add again and again and again and again a new settings ....

A plugin would be good idea, but I think there is no event that could be used for that.

beforeUserSave, but there are a lack of isValid update.

Where is beforeUserSave documented? At least not listed in www.limesurvey.org/manual/Plugin_events

User is a model : www.limesurvey.org/manual/Plugin_events#Model_Events

The model are here : github.com/LimeSurvey/LimeSurvey/tree/master/application/models


I add the link

OK, thanks. Now, how to disable the change? At least return false; and $this->getEvent()->set('success', false); did not work.

DenisChenu wrote: but there are a lack of isValid update.

You can make a feature request please.


BUT : you can reset value.

1. get the model with $model = $this->getEvent()->get('model');
2. Check if isNewrecord www.yiiframework.com/doc/api/1.1/CActive...d#isNewRecord-detail
3. if not reset previous value ($his->email=User::model()->getByPk($model->getPrimaryKey())->getAttribute('email');

I don't quite get this. I tested with

$iUserid = Permission::getUserId();
$model = $this->getEvent()->get('model');
$oUser = User::model()->findByPk($iUserid);
$oUser->email = "just-a-test@test";

and I think it should change anybodys email to just-a-test@test when trying to make any change. But it seems to do nothing.

This work for me

public function beforeUserSave()
{
$user = $this->getEvent()->get('model');
$user->email = "denis@example.org";
}


With your code : you update current user ....

Thanks, now I got this to work. Here is the code snippet:

$user = $this->getEvent()->get('model');
if ($user->isNewRecord) {
// Nothing, setting the name and email for a new user.
return;
}
// Revert to old email address and full name.
$iUserid = Permission::getUserId();
$oUser = User::model()->findByPk($iUserid);
$user->email = $oUser->email;
$user->full_name = $oUser->full_name;

Please : think have a isValid allowed update still better